fusion-devtools
Pass
Audited by Gen Agent Trust Hub on Jun 13, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSCREDENTIALS_UNSAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: Installs the
fusion-devtoolsutility as a .NET global tool from a vendor-controlled NuGet package registry (statoil-proview.pkgs.visualstudio.com). This is a legitimate dependency for the skill's functionality. - [COMMAND_EXECUTION]: Executes shell commands via
fdevandcurlto interact with Fusion REST APIs, discover services, and resolve identities. This includes complex command chains involving environment-specific endpoints. - [COMMAND_EXECUTION]: Provides functionality to activate Azure PIM roles via
fdev pim azure activate. This is a high-privilege operation. The skill properly mitigates risk by instructing the agent to always confirm with the user before execution. - [CREDENTIALS_UNSAFE]: The skill is designed to retrieve and manage OAuth access tokens. It includes specific safety guidance to truncate or redact tokens in user-facing output to prevent credential exposure.
- [PROMPT_INJECTION]: The skill ingests data from external API responses, which constitutes an indirect prompt injection surface. The impact is mitigated by the skill's focus on structured data processing and explicit instructions for redacting sensitive fields.
Audit Metadata